** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI CSIRT ADVISORY [EGI-ADV-20130619]
Title: EGI CSIRT Advisory "Critical" RISK - CVE 2013-3567 concerning puppet [EGI-ADV-20130619]
A vulnerability has been found in puppet, which allows remote unauthenticated command exection. This has been fixed by the puppet providers, and sites must update as soon as possible and in any case within 7 days or risk site suspension.
Details are available from puppet [R 1]
Some further information is available from Redhat bugzilla [R 2]
This issue has been assessed as "Critical" jointly by the EGI CSIRT and EGI SVG Risk Assessment Team
Puppet versions prior to Puppet 2.7.22 and 3.2.2 are affected.
Component installation information
Site administrators who run puppet are probably familiar with the installation procedure, and should see the puppet site for update.
All sites running puppet 2.X should ensure they are running 2.7.22 or later, if not upgrade
All sites running puppet 3.X should ensure they are running 3.2.2 or later, if not upgrade
All running resources MUST be either patched or otherwise have a
work-around in place by 2013-06-26 T21:00+01:00. Sites failing to act and/or
failing to respond to requests from the EGI CSIRT team risk site suspension.
This vulnerability was reported to puppet by Ben Murphy and fixed by the puppet team.
Leif Nixon alerted the EGI CSIRT team to this issue.
[R 1] http://puppetlabs.com/security/cve/cve-2013-3567/
[R 2] https://bugzilla.redhat.com/show_bug.cgi?id=974649